How to create multiple network namespace from a single process instance

Question

I am using following C function to create multiple network namespaces from a single process instance:

void create_namespace         


        

Answer 1

You only have to bind mount /proc/*/ns/* if you need to access these namespaces from another process, or need to get handle to be able to switch back and forth between the two. It is not needed to use multiple namespaces from a single process.

• unshare does create new namespace.
• clone and fork by default do not create any new namespaces.
• there is one "current" namespace of each kind assigned to a process. It can be changed by unshare or setns. Set of namespaces (by default) is inherited by child processes.

Whenever you do open(/proc/N/ns/net), it creates inode for this file, and all subsequent open()s will return file that is bound to the same namespace. Details are lost in the depths of kernel dentry cache.

Also, each process has only one /proc/self/ns/net file entry, and bind mount does not create new instances of this proc file. Opening those mounted files are exactly the same as opening /proc/self/ns/net file directly (which will keep pointing to the namespace it pointed to when you first opened it).

It seems that "/proc/*/ns" is half-baked like this.

So, if you only need 2 namespaces, you can:

• open /proc/1/ns/net
• unshare
• open /proc/self/ns/net

and switch between the two.

For more that 2 you might have to clone(). There seems to be no way to create more than one /proc/N/ns/net file per process.

However, if you do not need to switch between namespaces at runtime, or to share them with other processes, you can use many namespaces like this:

• open sockets and run processes for main namespace.
• unshare
• open sockets and run processes for 2nd namespace (netlink, tcp, etc)
• unshare
• ...
• unshare
• open sockets and run processes for Nth namespace (netlink, tcp, etc)

Open sockets keep reference to their network namespace, so they will not be collected until sockets are closed.

You can also use netlink to move interfaces between namespaces, by sending netlink command on source namespace, and specifying dst namespace either by PID or namespace FD (the later you don't have).

You need to switch process namespace before accessing /proc entries that depend on that namespace. Once "proc" file is open, it keeps reference to the namespace.